- It can be daunting to choose the right mobile tools to help a healthcare organization stay innovative. It can be even more daunting though to ensure that mobile security remains a top priority and that PHI stays secure.
Healthcare IT leaders might see the value in implementing mobile options, but studies show that security is often a top concern.
How can entities properly budget for mobile options? What are the potential consequences if a HIPAA violation occurs? Why is employee training so critical for strong mobile security?
In this primer, HealthITSecurity.com outlines four key considerations with mobile security. Organizations of all sizes must budget for cybersecurity, choose the right mobile tools, conduct regular employee training, and maintain HIPAA compliance with all devices.
Choosing the right mobile healthcare tool
Different mobile solutions will be beneficial at different healthcare organizations. Secure messaging might be necessary for larger hospital systems with specialty clinicians who need to communicate with patients. Smaller providers might not require the same mobile strategies.
Regardless, mobile security must be a key consideration throughout the entire decision-making process.
Direct secure messaging is becoming more popular, for example. DirectTrust is a non-profit trade alliance that facilitates secure HIE through the Direct Protocol. July 2017 numbers showed a 15 percent increase in the number of trusted Direct addresses able to share PHI.
There was also a reported 68 percent increase in the number of healthcare organizations served by DirectTrust health information service providers (HISPs) and engaged in Direct exchange.
The American Hospital Association’s Hospital & Health Networks (H&HN) Most Wired rankings showed that nearly three-quarters of the Most Wired hospitals offer secure messaging with clinicians on mobile devices.
Seventy-four percent said they use secure emails for patients and families to maintain contact with the care team when patients require ongoing monitoring at home. Sixty-two percent of respondents also said they can simplify the prescription renewal process by letting patients make the requests on mobile devices.
“The Most Wired hospitals are using every available technology option to create more ways to reach their patients in order to provide access to care,” AHA President and CEO Rick Pollack said in a statement. “They are transforming care delivery, investing in new delivery models in order to improve quality, provide access and control costs.”
Pagers are however still a popular tool for many healthcare organizations, according to a study published in the Journal of Hospital Medicine. Nearly 79 percent of respondents said they are provided pagers for communications, while 49 percent said they receive patient care–related (PCR) communication through pagers.
Fifty-three percent of 567 clinicians also said they received standard text messages once or more per day.
For secure messaging, 26 percent of 549 of those surveyed said that their organization had implemented a secure messaging option that was being utilized by some clinicians.
Overall, healthcare providers need to opt for mobile options that will aid staff members in daily operations without compromising data security.
Budgeting for necessary mobile security tools
Cybersecurity budget and resource constraints are often cited by providers as hindrances to data security. Healthcare organizations cannot expect to properly keep data secure if they do not have the necessary funds to purchase, implement, and utilize the right security tools.
With mobile security, this could include budgeting for mobile device management (MDM) solutions if BYOD is being used in a hospital. Or, a provider might need to ensure that it can afford to hire a CISO to help lead the security team.
A recent Spok survey that was administered by CHIME found that 56 percent of healthcare CIOs say that budget and resource constraints are the largest threat to patient data security. Ninety-five percent of respondents also said they were concerned about data becoming compromised, while approximately one-quarter stated they are unsure how much PHI is being shared unsecurely.
“Mobility and clinical process improvements are important to hospital leaders, and CIOs plan to make impactful changes,” the survey authors explained. “However, the execution remains a work in progress.”
Sixty-nine percent of those surveyed said mobile strategies were a key initiative to improving clinical and operational outcomes. The survey also found that 40 percent of CIOs are considering or planning to hire consultants in the next 12 months to aid in the mobile communications process.
However, a ZingBox survey from July 2017 revealed that some healthcare IT decision makers find traditional security solutions used for securing laptops and servers were also enough for IoT connected medical device security. This could indicate inconsistent approaches when it comes to choosing which investments are necessary for healthcare security.
Seventy percent of respondents said their traditional security solutions were enough, while nearly 75 percent added that they are confident or very confident that all devices connected to their network are protected.
"IoT technology presents special challenges to a healthcare organization's ability to protect itself from both insider threats as well as external cyber-attacks across a wide range of attack vectors, as demonstrated by the most recent WannaCry ransomware and NotPetya wiperware attacks,” ZingBox CEO and Co-founder Xu Zou said in a statement. “As these attacks continue to step to the forefront, companies deploying IoT devices need to be more cognizant than ever of their security measures.”
Organizations need to have communication between the C-suite and IT teams, ensuring that everyone understands the areas in which stronger data security measures are required. Mobile security solutions can differ from traditional legacy options, and applicable privacy and security tools need to be budgeted for and implemented properly.
Implementing regular employee training
Once a mobile option has been chosen and then budgeted for, employees at all levels must be trained and educated on how to use it. Employees are often cited as a top security threat to an organization, as it only takes one individual to download a malicious link, have a smartphone stolen, or send PHI to the wrong email.
OCR’s July Cybersecurity Newsletter underlined the importance of data security training, especially as the threat landscape continues to evolve.
“Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks including new ransomware variants [should be considered],” OCR stated.
Computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions can all help the employee security training process. Workforce training must also be properly documented, including dates and types of training, training materials, and evidence of workforce participation.
HIMSS Analytics revealed in a recent survey that 80 percent of surveyed health IT executives and professionals find that employee security awareness is their greatest concern regarding healthcare data security.
Seventy-nine percent of those surveyed also said that competing priorities were a top barrier in adopting a comprehensive security program, while 74 percent cited budget concerns.
“While the research uncovered only a 'modest' concern around the prospect of a security breach within hospital organizations over the next 12 months, providers are looking for closer partnerships with their network providers,” HIMSS Analytics Senior Director of Research Services Bryan Fiekers said in a statement. “My interpretation of the findings is that healthcare organizations must remain vigilant against cyber security threats and leverage all of their resources effectively to ensure every individual knows their role.”
Understanding HIPAA compliance for mobile options
The HIPAA Security Rule does not require specific technology solutions when it comes to mobile device technical safeguards. HHS does require that entities implement reasonable and appropriate security measures for standard operating procedures.
For mobile security, this means for example that a hospital utilizing smart phones will need to implement applicable security measures for those devices. This could include having remote wipe capability. That way if a phone is lost or stolen, the hospital can delete any potentially sensitive information on the device before it can fall into the wrong hands.
“HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan,” HHS explains on its site. “Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”
Failing to adhere to HIPAA regulations with mobile devices could lead to heavy fines. OCR reached a $2.5 million settlement with Pennsylvania-based CardioNet in April 2017 for lacking mobile security safeguards.
CardioNet did not have a sufficient risk analysis and risk management processes in place when a laptop was stolen in January 2012, according to OCR.
“Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented,” OCR said in a statement. “Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”
OCR also investigated a second reported data breach at CardioNet. The agency determined that CardioNet did not implement necessary policies and procedures on how electronic media containing ePHI should be treated. Data encryption was not considered, nor was the proper procedure for how devices could be removed from the facility, OCR stated.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” OCR Director Roger Severino said in a statement. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
Mobile devices can assist healthcare organizations, but security cannot be an afterthought. Choosing the right tools, training employees, and focusing on HIPAA compliance will help covered entities find the right balance between innovation and security.